DETAILED ACTION

Continued Examination Under 37 CFR 1.114

1. A request for continued examination under 37 CFR 1.114, including the fee set forth in
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e)
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.114. Applicant's submission filed on 3/13/2007 has been entered. 

Response to Arguments 

2. In response to communications filed on 3/13/2007, applicant amends claims 1, 5, 13, 14, 
21-23; the following claims 1-23 are presented for examination. 

2.1 Applicant's arguments, pages 11-13, filed on 3/13/2007, with respect to the rejection of 
claims 1-23 have been fully considered, but they are not persuasive. Applicant has deleted "an 
additional authentication request is sent from the information processing apparatus" to overcome 
the 112th rejection first paragraph. However, Applicant's response still fails to show that the
additional request (second request) is sent only if the decrypted result corresponds to the first 
data item. Applicant recites, 
"the specification page 9, lines 3-9 state in part
"the certificate 58 includes a digital signature of a certification authority which generates the
private key and the public key." and page 10, lines 8-12 states
"[w]hen the WWW server 3 receives the digital signature, the WWW
server 3 decrypts the digital signature by using the public key written into the user certificate
received in advance. When the decryption is successfully performed, it is determined that the
legitimate user terminal 4 has requested the electronic priced information" (emphasis added).
In this example, the digital signature was created by the authentication apparatus using the 
private key. See the specification on page 9 lines 20-27. A person having ordinary skill in 
the art would understand that the decrypted result would have to correspond to the first data 
item, the certificate 58 which includes a digital signature to compare against." 

Examiner respectfully disagrees with Applicant's interpretation of "when the
decryption result is successfully performed" to equate the decrypted result corresponds to the 
first data item. There is no description of comparing the decrypted digital signature with digital 
signature previously received. On the other hand, this passage shows that server 3 (information 
processing apparatus) by performing the decryption of the digital signature using the public key 
corresponding to the user, the server 3 determines the legitimacy of the user because the
authentication apparatus (server 6) encrypts the digital signature using the private key 
corresponding to the user. There is no disclosure of comparing the decrypted digital signature 
with a previous digital signature (first data item). Determining the legitimacy of the user is 
determining that the party performing the encryption is who that party intends to be because the 
public key of the user corresponds to the private key pair of the user. Applicant even states on 
page 12 last paragraph of the remarks that as the private key corresponding to the user ID is used 
for decryption, authentication of the user is performed. Therefore, the 112th rejection has still
not been overcome with respect to the amendment. The claim further recites "only when the user has
been authenticated in response to the additional authentication request the information apparatus
the authentication apparatus performs processing using the private key corresponding to the user
for making the information processing apparatus authenticate the user", although applicant
deletes part of the claim, the claim has still not overcome the 112th rejection because the user has
not been authenticated twice with a private key in response to the additional authentication
request as previously amended. See applicant's specification (page 12, lines 16-22) explaining
the advantages of first authentication request not in response to the additional authentication 
request. Applicant states, 

"The specification goes on to state, on page 11 lines 19-25, "[t]he CPU 46 of the security
server 6 receives the result of authentication sent from the encryption module 23 . . . [w]hen
the CPU 46 confirms (in step SP45) from the result of authentication that the IC card 8 has
been successfully authenticated, it obtains the private key corresponding to the user ID . . .
and decrypts the encrypted electronic priced information by using the private key."
Therefore, an additional authentication step is performed." 

The citation above shows authentication of the card not the user. 

In view of the above, applicant has not overcome the 112th rejection first paragraph. Applicant
states that the claims have been amended to recite "for decryption and storage" and Audebert's
IC card only provides security keys and not storing transaction data. Examiner respectfully
disagrees. The IC card of Audebert also contains memory. It is well known that memory is used
to store data and this limitation is an intended use and would still be an obvious modification
over Audebert. Upon further consideration, a new ground of rejection is set forth below in view
of Audebert.

Claim Rejections - 35 USC § 112 

3. The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner 
and process of making and using it, in such full, clear, concise, and exact terms as to enable any 
person skilled in the art to which it pertains, or with which it is most nearly connected, to make 
and use the same and shall set forth the best mode contemplated by the inventor of carrying out 
his invention. 

3.1 Claims 1, 5, 13, 14, 21, 22, and 23 and the intervening claims are rejected under 35
U.S.C. 112, first paragraph, as failing to comply with the written description requirement. The
claims contain subject matter, which was not described in the specification in such a way as to
reasonably convey to one skilled in the relevant art that the inventor(s), at the time the
application was filed, had possession of the claimed invention. Applicant's disclosure fails to
recite "comparing the decrypted result with the first data item" and "wherein the additional
authentication request is sent only if the decrypted result corresponds to the first data item" and
"wherein, only when the user has been authenticated in response to the additional authentication
request, the authentication apparatus performs processing using the private key corresponding to 
the user to authenticate the user". There is no disclosure of comparing the decrypted digital 
signature with a previous digital signature (first data item). Determining the legitimacy of the 
user is determining that the party performing the encryption is who that party intends to be 
because the public key of the user corresponds to the private key pair of the user. Applicant even 
states on page 12 last paragraph of the remarks that as the private key corresponding to the user 
ID is used for decryption, authentication of the user is performed. There is no disclosure of the 
user being authenticated twice with a private key in response to the additional authentication 
request. Therefore, the specification does not describe the steps above as claimed. As 
mentioned above, there is no description of an additional authentication request from the 
information processing apparatus (server 3). 



Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject matter 
sought to be patented and the prior art are such that the subject matter as a whole would have 
been obvious at the time the invention was made to a person having ordinary skill in the art to 
which said subject matter pertains. Patentability shall not be negatived by the manner in which 
the invention was made. 

Claims 1-23 are rejected under 35 U.S.C. 103(a) as being unpatentable over US Patent 
6,694,436 to Audebert in view of Foreign Patent Application GB 2261538 A to Carden 
(publication date 19.05.1993). 

As per claim 1, Audebert substantially discloses a user authentication system,
comprising: an integrated circuit card that meets the recitation of a data holding medium for 
holding a common key unique to a user, used in a common-key encryption method, for example 
(see column 21, lines 17-21); for authentication between the data holding medium held by the 
user and a terminal module that meets the recitation of authentication apparatus (see column 26, 
lines 38-42); said authentication apparatus for holding the common key used in the common key 
encryption method and a private key corresponding to the user used in a public-key encryption 
method, for example (see column 21, line 45 through column 22, line 20); for authentication 
between the data holding medium and a server or PC to perform a service to the user (see column 
11, lines 10-29; column 12, lines 56-69 and column 24, lines 39-61); an information processing
apparatus connected to the authentication apparatus in an always-communicable manner and 
provided with a function for performing authentication by the public-key encryption method, for 
example (see column 11, lines 10-29; column 12, lines 42-69 and column 24, lines 39-61); 
wherein said authentication apparatus is configured to receive a first data item, wherein the first 
data item is associated with a first authentication request from said information processing 
apparatus and wherein said authentication apparatus is configured to authenticate the data 
holding medium by using the common key in response to the first authentication request (see 
column 21, lines 28-38); wherein said authentication apparatus is further configured to encrypt 
only if the data holding medium is authenticated in response to the first authentication request, 
the first data item using the private key associated with the user and to send the encrypted first 
data item to the information processing apparatus (see column 21, line 50 through column 22, 
line 20); wherein said information processing apparatus is configured to decrypt the encrypted 
first data item using a public key associated with the user and to compare the decrypted result 
with the first data item (see column 22, lines 7-20); Audebert discloses that the authentication of 
the data holding medium can be performed using PIN, challenge/response or asymmetrical 
algorithm (see column 26, lines 25-45); wherein the authentication apparatus performs 
authentication, authenticating the data holding medium by using the common key used in the 
common key encryption method for the user held by the data holding medium, in response to an 
additional authentication request sent from the information processing apparatus, wherein the 
additional authentication request is sent only if the decrypted result corresponds to the first data 
item (see column 21, line 59 through column 22, line 20); and, only when the user has been 
authenticated, in response to the additional authentication request the authentication apparatus
performs processing using the private key corresponding to the user for making the information 
processing apparatus authenticate the user for example (see column 21, line 45 through column 
22, line 20). Audebert discloses the authentication apparatus has means for authenticating the 
source and integrity of data received from the sender and further discloses using public-key 
encryption for secure communication (see column 23, line 55 through column 24, line 22 and 
column 24, lines 23-64) that meets the recitation of wherein information encrypted by the public-key
encryption method is sent from the information processing apparatus, forwarded to the
authentication apparatus, decrypted using the private key corresponding to the user, so as to 
obtain decrypted information (see also column 21, lines 10-27 and lines 40-45 and column 25, 
lines 37-45); and discloses common key encryption method between the holding medium and 
the authentication apparatus that meets the recitation of wherein the decrypted information is 
encrypted means using the common key and wherein the obtained common key encrypted 
information is sent back to the data holding medium (see column 24, lines 40-45). Audebert 
discloses a secure downloading in another embodiment wherein authentication apparatus 
performing processing using the private key corresponding to the user, this process of loading is 
performed upon assuring the integrity of the source and the user that requires an additional 
authentication request (see column 23, line 25 through column 24, line 38). Audebert clearly 
discloses the scope of the claimed invention as claimed and further suggests encrypting all data 
exchange between the modules (see column 24, lines 55-61) and further states encryption and 
signature mechanisms may be performed by any cryptographic techniques as known in the art 
(see column 12, lines 26-35). Although the steps are not explicitly disclosed with the exact 
orders as claimed, it would only require routine skill in the art to write the steps of the claimed
invention using the encryption and authentication methods exchanged between the authentication 
apparatus, the holding medium, and information processing apparatus and the suggestions 
disclosed by Audebert. Therefore, it would have been obvious to one of ordinary skill in the art 
at the time the invention was made to have information processing apparatus encrypting data and 
forwarding it for verification to the authentication apparatus since Audebert suggests that the 
holding medium does not have the cryptographic capabilities for signature, that the 
authentication apparatus contains (column 21, lines 10-26) and if data is verified sending it to the 
holding medium as suggested by Audebert (columns 23-24). One of ordinary skill in the art 
would have been motivated to do so as suggested by Audebert in order to perform a secure 
downloading of information into the medium that includes mutual authentication of all the 
modules involved (see column 23, lines 1-27). Although Audebert is silent about the card being 
used for decryption and storage of transaction information, Audebert suggests that the card has 
memory and the card is not limited to a given form of tool enabling the use of cryptographic 
functions (see column 27, lines 25-31). It is notoriously well known that smartcard has 
capability for transaction information storage. Carden in an analogous art teaches a transaction 
authentication system comprises an IC card and a terminal wherein encrypted transaction data is 
transferred to the card and the card has encryption/decryption capability (using common key 
encryption or RSA public key encryption) for decrypting transaction data and a memory for 
storing transaction data in order to provide key verification and an audit trail of the transaction 
(see page 7, second paragraph, abstract, and pages 1-6 for detailed disclosure). Therefore, it 
would have been obvious to one of ordinary skill in the art at the time the invention was made to 
provide capability for transaction information storage in Audebert so as to provide authentication
of transaction data while keeping an audit trail of the transaction data in the card as suggested by 
Carden. 

As per claims 2 and 6, Audebert discloses a user who carries an integrated circuit card 
that meets the recitation of a data holding medium that is portable (see column 21, lines 17-21). 

As per claims 3, 9, and 19, Audebert discloses the limitation of wherein the information
processing apparatus is a mobile communication apparatus, for example (see column 27, lines 5-18).

As per claims 4, 8, and 18, Audebert discloses wherein the data holding medium and the 
information processing apparatus are integrated as one unit (see column 11, lines 30-33). 

As per claim 7, Audebert discloses wherein the user authentication request is sent from 
an information processing apparatus (see column 12, lines 47-55 and column 13, lines 45-46). 

As per claim 5, Audebert substantially discloses a user authentication method for a user 
who carries an integrated circuit card that meets the recitation of a data holding medium for 
holding a common key unique to a user, used in a common-key encryption method, for example 
(see column 21, lines 17-21); for authentication between the data holding medium held by the 
user and a terminal module that meets the recitation of authentication apparatus (see column 26, 



Application/Control Number: 09/846,522 Page 11

Art Unit: 2136 

lines 38-42) and a private key used in a public-key encryption method to the authentication 
between the data holding medium and a server or PC to perform a service to the user (see column 
11, lines 10-29; column 12, lines 56-69 and column 24, lines 39-61); a method comprising: 
authenticating a data holding medium of a user by the common key encryption method using the 
common key held by the data holding apparatus in response to an authentication request from the 
server (see column 13, lines 43-60 and column 26, lines 25-45); receiving a first data item 
wherein the first data item is associated with the authentication request from the server (see 
column 26, lines 25-45); and performing only when the data holding apparatus of the user has 
been authenticated processing for authenticating the data holding apparatus of the user by a 
public-key encryption method (see column 26, lines 25-45 and column 21, line 45 through 
column 22, line 20); receiving a second data item, wherein the second data item is encrypted by 
the server using the public-key of the user: decrypting the second data item using the private-key 
of the user; encrypting the decrypted second data item using the common key: and sending the 
result of encrypting the decrypted second data item to the data holding apparatus (see column 21, 
line 45 through column 22, line 20); and see also another embodiment in columns 23-24). 
Although the steps are not explicitly disclosed with the exact orders as claimed, it would only 
require routine skill in the art to write the steps of the claimed invention using the encryption and 
authentication methods exchanged between the authentication apparatus, the holding medium, 
and information processing apparatus and the suggestions disclosed by Audebert. Therefore, it 
would have been obvious to one of ordinary skill in the art at the time the invention was made to 
have information processing apparatus encrypting data and forwarding it for verification to the 
authentication apparatus since Audebert suggests that the holding medium does not have the 
cryptographic capabilities for signature, that the authentication apparatus contains (column 21,
lines 10-26) and if data is verified sending it to the holding medium as suggested by Audebert 
(columns 23-24). One of ordinary skill in the art would have been motivated to do so as 
suggested by Audebert in order to perform a secure downloading of information into the 
medium that includes mutual authentication of all the modules involved (see column 23, lines 1-27).
Although Audebert is silent about the card being used for decryption and storage of
transaction information, Audebert suggests that the card has memory and the card is not limited 
to a given form of tool enabling the use of cryptographic functions (see column 27, lines 25-31). 
It is notoriously well known that smartcard has capability for transaction information storage. 
Carden in an analogous art teaches a transaction authentication system comprises an IC card and 
a terminal wherein encrypted transaction data is transferred to the card and the card has 
encryption/decryption capability (using common key encryption or RSA public key encryption) 
for decrypting transaction data and a memory for storing transaction data in order to provide key 
verification and an audit trail of the transaction (see page 7, second paragraph, abstract, and 
pages 1-6 for detailed disclosure). Therefore, it would have been obvious to one of ordinary skill 
in the art at the time the invention was made to provide capability for transaction information 
storage in Audebert so as to provide authentication of transaction data while keeping an audit 
trail of the transaction data in the card as suggested by Carden. 

As per claims 10-11 and 16, Audebert discloses wherein the data holding apparatus is an 
IC card (see column 21, lines 17-21). 

As per claim 12, Audebert discloses wherein the information processing apparatus has a
communication function, a browser function for accessing information on the Internet and a 
reader and writer function for reading and writing the IC card (see column 12, line 56 through 
column 13, line 11). 

As per claim 13, Audebert substantially discloses a user authentication method for a user 
who carries an integrated circuit card that meets the recitation of a data holding medium for 
holding a common key unique to a user, used in a common-key encryption method, for example 
(see column 21, lines 17-21); for authentication between the data holding medium held by the 
user and a terminal module that meets the recitation of authentication apparatus (see column 26, 
lines 38-42) and a private key used in a public-key encryption method to the authentication 
between the data holding medium and a server or PC to perform a service to the user (see column 
11, lines 10-29; column 12, lines 56-69 and column 24, lines 39-61); receiving a first data item 
wherein the first data item is associated with the authentication request from the server (see 
column 26, lines 25-45); and performing only when the data holding apparatus of the user has 
been authenticated in response to the first authentication request processing for authenticating 
the data holding apparatus of the user by a public-key encryption methods wherein the 
processing includes encrypting the first data item using a private-key of the user and sending the 
encrypted first data item to the server, wherein the server decrypts the encrypted first data item 
using a public-key of the user and compares the decryption result with the first data item: 
processing for authenticating the data holding apparatus of the user by a public-key encryption 
method (see column 13, lines 43-60 and column 21, line 45 through column 22, line 20); 
Audebert discloses that the authentication of the data holding medium can be performed using
asymmetrical algorithm (see column 26, lines 25-45); authenticating in response to an additional 
authentication request sent from the information processing apparatus, the data holding apparatus 
by using the common key used in the common key encryption method for the user (see column 
21, line 59 through column 22, line 20); and, only when the user has been authenticated, in 
response to the additional authentication request the authentication apparatus performs 
processing using the private key corresponding to the user for making the information processing 
apparatus authenticate the user for example (see column 21, line 45 through column 22, line 20). 
Audebert discloses the authentication apparatus has means for authenticating the source and 
integrity of data received from the sender and further discloses using public-key encryption for 
secure communication (see column 23, lines 55 through column 24, line 22 and column 24, lines 
23-64) that meets the recitation of wherein information encrypted by the public-key encryption 
method is sent from the information processing apparatus, forwarded to the authentication 
apparatus, decrypted using the private key corresponding to the user, so as to obtain decrypted 
information (see also column 21, lines 10-27 and lines 40-45 and column 25, lines 37-45); and 
discloses common key encryption method between the holding medium and the authentication 
apparatus that meets the recitation of wherein the decrypted information is encrypted means 
using the common key and wherein the obtained common key encrypted information is sent back 
to the data holding medium (see column 24, lines 40-45). Audebert discloses a secure 
downloading in another embodiment wherein authentication apparatus performing processing 
using the private key corresponding to the user, this process of loading is performed upon 
assuring the integrity of the source and the user that requires an additional authentication request 
(see column 23, line 25 through column 24, line 38). Audebert clearly discloses the scope of the
claimed invention as claimed and further suggests encrypting all data exchange between the 
modules (see column 24, lines 55-61) and further states encryption and signature mechanisms 
may be performed by any cryptographic techniques as known in the art (see column 12, lines 26-35).
Although the steps are not explicitly disclosed with the exact orders as claimed, it would
only require routine skill in the art to write the steps of the claimed invention using the 
encryption and authentication methods exchanged between the authentication apparatus, the 
holding medium, and information processing apparatus and the suggestions disclosed by 
Audebert. Therefore, it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to have information processing apparatus encrypting data and 
forwarding it for verification to the authentication apparatus since Audebert suggests that the 
holding medium does not have the cryptographic capabilities for signature, that the 
authentication apparatus contains (column 21, lines 10-26) and if data is verified sending it to the 
holding medium as suggested by Audebert (columns 23-24). One of ordinary skill in the art 
would have been motivated to do so as suggested by Audebert in order to perform a secure 
downloading of information into the medium that includes mutual authentication of all the 
modules involved (see column 23, lines 1-27). Although Audebert is silent about the card being 
used for decryption and storage of transaction information, Audebert suggests that the card has 
memory and the card is not limited to a given form of tool enabling the use of cryptographic 
functions (see column 27, lines 25-31). It is notoriously well known that smartcard has 
capability for transaction information storage. Carden in an analogous art teaches a transaction 
authentication system comprises an IC card and a terminal wherein encrypted transaction data is 
transferred to the card and the card has encryption/decryption capability (using common key
encryption or RSA public key encryption) for decrypting transaction data and a memory for 
storing transaction data in order to provide key verification and an audit trail of the transaction 
(see page 7, second paragraph, abstract, and pages 1-6 for detailed disclosure). Therefore, it 
would have been obvious to one of ordinary skill in the art at the time the invention was made to 
provide capability for transaction information storage in Audebert so as to provide authentication 
of transaction data while keeping an audit trail of the transaction data in the card as suggested by 
Carden. 

Claim 14 recites the similar limitations as claim 13 except for implementing the
claimed method of claim 13 in an authentication apparatus. Therefore claim 13 is rejected on the 
same rationale as the rejection of claim 13 and claim 1 (for also disclosing an authentication 
apparatus). 

As per claim 15, Audebert discloses wherein the authentication apparatus has a private
key used in a public-key encryption method (see column 21, line 45 through column 22, line
20). 

As per claim 17, Audebert discloses wherein the information processing apparatus has a
reader and writer function for reading and writing the IC card (see column 12, line 56 through 
column 13, line 11). 

As per claim 20, Audebert discloses wherein the information processing apparatus has a
communication function, a browser function for accessing information on the Internet (see 
column 12, line 56 through column 13, line 11). 

Claims 21, 22 and 23 disclose similar limitations as the rejected claim 1 and are therefore 
rejected on the same rationale as the rejection of claim 1. 

Conclusion 

5. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. The prior art discloses IC card used for decryption and storage of transaction 
information. See PTO-form 892. 

5.1 Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Carl Colin whose telephone number is 571-272-3862. The 
examiner can normally be reached on Monday through Thursday, 8:00-6:30 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser G. Moazzami can be reached on 571-272-4195. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Carl Colin/ 

Patent Examiner, A.U. 2136 
June 8, 2007 



